PT-2024-4006
Credit: Orangetw · Published 2023-12-19 · Updated 2026-05-13
CVE-2024-4577
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PHP versions 8.1.0 through 8.1.28
PHP versions 8.2.0 through 8.2.19
PHP versions 8.3.0 through 8.3.7

Description
An argument injection issue exists in PHP when using Apache and PHP-CGI on Windows. The flaw occurs because the Windows implementation of PHP does not account for "Best-Fit" behavior, where Unicode characters are converted to the closest matching ANSI characters based on specific system code pages. A remote attacker can send specially crafted HTTP requests containing specific character sequences that the PHP CGI module misinterprets as PHP options. This allows the attacker to pass arguments to the PHP binary, potentially revealing script source code or achieving remote code execution (RCE).

Real-world exploitation has been observed globally, including in Japan, Taiwan, Hong Kong, the USA, the UK, Singapore, Indonesia, India, Spain, and Malaysia. Attackers have used this flaw to deploy the Msupedge backdoor, Quasar RAT, and XMRig cryptocurrency miners. In some campaigns, such as the Contagious Interview campaign targeting developers, this vulnerability was found in XAMPP server configurations. Attackers have also been observed using tools like JuicyPotato to escalate privileges and Cobalt Strike TaoWu plugins to create malicious services.

Recommendations
Update PHP version 8.1.x to 8.1.29.
Update PHP version 8.2.x to 8.2.20.
Update PHP version 8.3.x to 8.3.8.
As a temporary mitigation, avoid running PHP in CGI mode.
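As an added example (not part of this advisory), a small check that classifies a PHP install against the affected version ranges and the Windows + CGI precondition stated above. It parses the first line of `php -v` / `php-cgi -v` output; the sample outputs below are constructed, and the SAPI names `cgi-fcgi` and `cli` are the ones PHP prints for those binaries.

```python
import re

# Affected ranges and fixed releases, as stated in the advisory:
# branch -> (first affected, last affected, fixed release)
AFFECTED = {
    (8, 1): ((8, 1, 0), (8, 1, 28), (8, 1, 29)),
    (8, 2): ((8, 2, 0), (8, 2, 19), (8, 2, 20)),
    (8, 3): ((8, 3, 0), (8, 3, 7), (8, 3, 8)),
}

# First line of `php -v`, e.g. "PHP 8.3.7 (cgi-fcgi) (built: ...)"
VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)", re.MULTILINE)


def parse_php_v(output: str):
    """Return ((major, minor, patch), sapi) from `php -v` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised `php -v` output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(output: str, windows: bool) -> dict:
    """Classify an install: affected version, and whether the exploitable
    configuration (Windows + CGI SAPI) from the advisory also holds."""
    version, sapi = parse_php_v(output)
    branch = AFFECTED.get(version[:2])
    affected = branch is not None and branch[0] <= version <= branch[1]
    cgi = sapi.lower() in ("cgi-fcgi", "cgi")
    return {
        "version": ".".join(map(str, version)),
        "sapi": sapi,
        "affected_version": affected,
        "exploitable_config": affected and windows and cgi,
        "fix": ".".join(map(str, branch[2])) if affected else None,
    }


# Constructed sample outputs (not captured from a real host).
SAMPLE_CGI = "PHP 8.3.7 (cgi-fcgi) (built: May  8 2024 09:41:35) (NTS Visual C++ 2019 x64)\n"
SAMPLE_CLI_FIXED = "PHP 8.2.20 (cli) (built: Jun  5 2024 10:12:01) (NTS Visual C++ 2019 x64)\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CGI, windows=True))
    print(assess(SAMPLE_CLI_FIXED, windows=True))
```

A CLI-only install on an affected version still needs the update; the check only separates "patch needed" from "patch needed and the Apache/PHP-CGI exposure described above is present".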

Tags: Exploit, Fix, LPE, DoS, RCE, OS Command Injection

Weakness Enumeration

Related Identifiers

ALSA-2023_7877
ALSA-2024_10949
ALSA-2024_10950
ALSA-2024_10951
ALSA-2024_10952
ALSA-2024_2447
ALSA-2025_15687
ALSA-2025_16880
ALSA-2025_4263
ALSA-2025_7432
ALT-PU-2024-13731
ALT-PU-2024-16480
ALT-PU-2024-8853
ALT-PU-2024-8859
ALT-PU-2024-8861
ALT-PU-2024-9191
ALT-PU-2024-9193
AZL-42424
AZL-42433
BDU:2024-04432
BIT-LIBPHP-2024-4577
BIT-PHP-2024-4577
BIT-PHP-MIN-2024-4577
CVE-2024-4577
GHSA-3QGC-JRRR-25JV
OPENSUSE-SU-2024:14376-1

Affected Products

Alt Linux
Apache
Cobalt Strike
Php
Red Os
Xampp